Bluenoroff Hackers Target Apple Devices in Recent Attacks

Researchers at Jamf Threat Labs have detected a new campaign by the hacker group Bluenoroff, a sub-group of the North Korean Lazarus attackers, that specifically targets Apple macOS devices. The attack uses a new malware called RustBucket, and its infection chain is multi-stage and sophisticated.

The malicious macOS application is disguised as a “PDF Viewing” system application to initiate the infection. However, whether the attack succeeds ultimately depends on the potential victim granting permission to run the malicious script when Gatekeeper prompts them.

If permission is given, the script downloads a payload from a remote server and initiates the second stage of the attack, which involves a fully functional PDF viewer application written in Objective-C. This application, however, is used to trigger the next phase of the attack when a specific malicious PDF document is opened in it.

One nine-page PDF document discovered by Jamf Threat Labs purported to offer a “profitable investment strategy”. When it is opened in the viewer, however, the PDF triggers a request to a C2 server to download and launch the third-stage Trojan, a “Mach-O” executable. This executable is written in Rust and is capable of running an extensive range of system reconnaissance commands.

The researchers were “impressed” by the methods the North Korean attackers employed in this campaign. They were unable to identify the initial entry point of the infection, and determined that a specific PDF file, acting as the key that unlocks the malicious code, was required for a full analysis of the attack.
